Prioritizing Data Privacy to Insure your Startup’s Future

Executives at organizations of every size recognize that data privacy and cybersecurity matters must be taken seriously and prioritized by their teams. However, for startup founders, managing data privacy and cybersecurity risk can feel like another task in a never-ending line of administrative duties needed to get your business up and running.

In our experience working with startups, we find that most business leaders in their early stages are laser-focused on sales, marketing and fundraising – at times to the detriment of their organization's risk management. Data privacy usually takes a back seat to revenue-generating deliverables when time and resources are already stretched thin.

But simply put, ignoring your company's data privacy and cybersecurity obligations may undermine everything else that you are working to achieve for your startup.

A single data breach can be fatal to an emerging growth company.

Data breaches create a lack of trust and deter customers and investors from being excited about what your company can offer them.

These privacy issues are now so important, and so highly visible, that savvy investors require issuers to address and remediate any gaps in their data privacy and cybersecurity plans.

The National Venture Capital Association (NVCA) Model Legal Documents, the nationwide industry standard documents for venture capital (VC) financing, have addressed this in Section 5.13 of the model Investors' Rights Agreement.

In summary, this section provides that businesses do the following within 180 days of closing:

  • Identify protected data.
  • Implement cybersecurity solutions to protect the data.
  • Ensure routine maintenance of cybersecurity solutions.
  • Require security vendors to provide notification of any incidents.
  • Evaluate cybersecurity measures at least annually.
  • Educate employees about the proper use and storage of protected data, including training.

What Section 5.13 of the Investors' Rights Agreement makes clear is that the issuing company is obligated to address its data privacy and cybersecurity risks. Failure to do so can give investors the basis to allege breach of this contract, as well as claims for breach of fiduciary duty. That being said, this language is broad and still leaves a great deal up to the interpretation of the company.

Rather than waiting for conditions to be imposed by investors, all companies, and especially startups, should prioritize and proactively address their data privacy and cybersecurity risks.

In the wide world of continuously evolving data privacy and cybersecurity regulation and requirements, plotting a course to address these issues is easier said than done.

To that end, we developed a checklist of things that startup CEOs, COOs, & CFOs should start with:

Snapshot of our Data Privacy and Cyber Security Checklist:

  • Protected Data Inventory and Mapping Risk Assessment
  • Data Privacy and Security Program plan
  • Development and implementation of privacy and security tasks

Han Santos attorneys can help your emerging growth company evaluate your data and work through the privacy checklist to ensure that your marketing efforts are not overshadowed by cybersecurity issues. Contact us to learn more.

